Posted
by
Unknown Lamer
on Monday June 10, 2013 @06:50PM
from the mundane-bad-news dept.

chicksdaddy writes "When reports surfaced about 'BadNews,' a new family of mobile malware that affected Google Android devices the news sounded — well — bad. BadNews was described by Lookout Mobile Security as a new kind of mobile malware for the Android platform-one that harness mobile ad networks to push out malicious links, harvest information on compromised devices and more. Now, six weeks later, a senior member of Google's Android security team claims that BadNews wasn't really all that bad, after all. Speaking at an event in Washington D.C. sponsored by the Federal Trade Commission, Google employee and Android team member Adrian Ludwig threw cold water on reports linking BadNews to sites that installed malicious programs. The search giant, he said, had not found any evidence linking BadNews to so-called SMS 'toll fraud' malware."

All malware is bad. Sure, it could be catastrophic, but it could also just serve as a trojan for other pieces of malware. This one doesn't turn out to be as bad as the press makes it sound (big surprise), and Google claims it isn't anything much to worry about (another big surprise). So we know that the truth lies somewhere in the middle.

The application asked for permission to send sms (and potentially cost you money).

It's not malware if it tells you exactly what it's going to do, and then does it with your explicit permission (not that it even did that since it was only a proof-of-concept app). It's only a malware app if someone else has temporary possession of your phone, plus its pin number, and then installs the application just to cause you harm without you knowing.

This is the biggest reason why I won't be moving to Android anytime soon. On iOS, it'll ask for permission when it needs to send something, and I can stop it. There are plenty of apps that require permissions that I only want to give access to occasionally. If an app wants access to my pictures, I tell it what pictures it can access. Same with contact information. Giving apps blanket access at install time is brain dead.

The up front permissions is better than nothing but it's not good enough.

Android really needs to ask the user to grant / deny a permission each time it is accessed, with a checkbox to remember the decision. Some apps can be incredibly annoying, such as Facebook which is constantly turning on GPS which saps battery power. I should be able to disable that permission and force it to use a less precise location system or none at all. Another app might have a genuine need to launch the dialler, to call someone

Ad networks will always be a potential vector of infection and since many, if not most, apps on Google Play (and iOS) that are free will have ads from a major ad network, it means that any application can potentially give you malware with no fault of the application developers themselves.

Often when there is a major security issue in a software product, there is a marketing that follows in the next few weeks saying it wasn't really as big a deal as the researchers originally claimed. Normally they state how the issues raised don't really apply in the real world. Often the phrase 'Threw cold water' is used. This is done as a distraction and PR exercise to deflect from the fact that the company does not wish to invest the time and effort into fixing the issue.

`Speaking at an event in Washington D.C. sponsored by the Federal Trade Commission, Google employee and Android team member Adrian Ludwig threw cold water on reports linking BadNews to sites that installed malicious programs. The search giant, he said, had not found any evidence linking BadNews to so-called SMS 'toll fraud' malware."'

I actually agree with them on this one. This malware wasn't as bad as the recent disclosure of Google's involvement in a top-secret U.S. Government mass surveillance program that has been going on for several years now.